Only allowing office attachements in would have you IT Manager's phone ringing off the hook with complaints from users trying to bring down zips, pdfs, etc.
Sorry Starfire, only allowing office attachmets was just an example, i didn't want to list everything for this discussion. The review of our email policy i am currently undertaking is things like (office docs, works docs, txt files, picture files, pdfs, etc...). Basically, everything that is business critical and block everything else. Instead of doing it the otherway around as you never know what extra stuff may be added which can transmit viral code.
We've tried lots of tactics to help secure what can and can't come down and the users just find ways around them by just getting the sender to rename the attachement with a .doc extension or some such totally bypassing what we are trying to achieve.
I would hope a better e-mail scanner was configured that actually checked the mime type corresponded to the file attachment extension and blocked if anyone tried that trick. Basic practise now i thought ?
Desktop lockdowns also just infuriate them and in a lot of instances I have been ordered to remove them from PCs by the manager who's just had his ear chewed off by a director from some department or other. One guy once jumped on my manager then my director and finally on the chief exec about me personally after I locked down his PC and fitted security screws after he adjusted the dip switches on his graphics card in an attempt to make his programs run faster ... /boggle.
This is a very interesting one. In our environment we dont have an SLA or anything like that to our service users. Infact, once we have configured the machines they can do pretty much what they like to them because they own the machine. A work collegue who works in another environment works differently. They do lock the desktops down completely which is part of their security policy. The reason for this is that there is a SLA against the company who provides the support contract and harsh penalties are imposed if things were not fixed appropriately. Basically, they want to lock the machine down so people cannot break anything, any changes can be made but a change request has to be made to do this. Also, from a legal point of view. they want to ensure that no illegal software is installed because the security administrator would be liable in that case so they want to make sure that no software can be installed. Also, if attack traffic is detected coming from your external ip address, you can again be liable.
Apart from up to date antivirus and updates/patches and a good network security policy and all the usual things, the best defence we can give is education for internal protection and trying to explain just what can happen as a user is browsing dodgy websites or when they are bored and just in a daze on a Friday afternoon opening emails just to pass the time.
In short, the best internal network defence is an educated workforce.
I agree totally. A lot of the work that goes on in the security areas is lacking in basic education of the workforce. However, a defence in depth strategy cannot be overlooked. This also includes patch management. When the Blaster viruse hit, users would not have been to blame for that spreading as it did. Machines not being at the correct patch level was a major reason this worm spread as it did, no amount of education on that would have made a difference. If however some HIDS was installed locally to lock down the types of activity that was required for the Worm to take hold of the machine, the network would have been more protected.
Lol, turned into an essay, hehe. Definately lots of people have different angles on all this, whats anyone elses views or comments on this ?
Cheers and thanks for taking the time to share your views
